Tunneled-User-Name
d.thembiliyagoda at lancaster.ac.uk
d.thembiliyagoda at lancaster.ac.uk
Tue Jul 12 10:36:35 CEST 2011
Hi ,
Thank you very much for the example. its working.
Regards
Champika
On Mon, 11 July, 2011 4:24 pm, Alexander Clouter wrote:
> d.thembiliyagoda at lancaster.ac.uk wrote:
>>
>> I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius
>> server.How can I get the tunnelled User-Name (User-Name used in inner
>> authentication phase) using unlang in FreeRADIUS server? Now I can only
>> get the User-Name used for the outer authentication (ex: anonymous).
>>
> PAP is easy, but MSCHAPv2 is typically EAP-MSCHAPv2 so you have a
> double-inner in play. The best suggestion I have (after years of tweaking
> it to be just right) is in your inner authorize use: ----
> authorize { update outer.request { User-Name := "%{request:User-Name}"
> }
> update reply { User-Name := "%{request:User-Name}"
> }
>
>
> [snipped]
>
>
> update reply { Auth-Type := "%{control:Auth-Type}"
> }
> }
> ----
>
>
> On the outer layer, you then use
> '%{%{reply:User-Name}:-%{request:User-Name}}' to get the username. This
> means you get the inner username for: * PAP, MSCHAPv2 and EAP-MSCHAPv2
> authentications * when your inner server rejects the request (ie. bad
> password) (this is why you stuff the inner username into outer.request *
> TTLS/PEAP has the option of TLS cached sessions which is *good*,
> doing things this way means you still get the inner name for resumed
> sessions
>
> As a bonus, the Auth-Type is extractable..if you use TLS cached
> sessions, then this will be EAP.
>
> Cheers
>
>
> --
> Alexander Clouter
> .sigmonster says: It was Penguin lust... at its ugliest.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
More information about the Freeradius-Users
mailing list